GNU bug report logs - #31935
2 crashes in diffutils commit version 576645c


Package: diffutils;

Reported by: Hongxu Chen <leftcopy.chx <at> gmail.com>

Date: Fri, 22 Jun 2018 14:35:01 UTC

Severity: normal

Done: Jim Meyering <jim <at> meyering.net>

Bug is archived. No further changes may be made.




Report forwarded to bug-diffutils <at> gnu.org:
bug#31935; Package diffutils. (Fri, 22 Jun 2018 14:35:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hongxu Chen <leftcopy.chx <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-diffutils <at> gnu.org. (Fri, 22 Jun 2018 14:35:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Hongxu Chen <leftcopy.chx <at> gmail.com>
To: bug-diffutils <at> gnu.org
Subject: 2 crashes in diffutils commit version 576645c
Date: Fri, 22 Jun 2018 14:49:47 +0800
[Message part 1 (text/plain, inline)]
Hello,

    We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.
    The executing command is: `./diff -a --strip-trailing-cr $file add.wasm`, where $file is the PoC file (attached as *.input.txt); "add.wasm" is also attached; however, it seems that the content of the comparison file is not important.

    The Address Sanitizer outputs (attached as "*.err.SIG06") are:

    =================================================================
==8310==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000000ff at pc 0x00000055108a bp 0x7ffdc5af8650 sp 0x7ffdc5af8648
READ of size 1 at 0x6210000000ff thread T0
    #0 0x551089 in print_1_line_nl
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44
    #1 0x544366 in print_normal_hunk
/home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #2 0x550883 in print_script
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #3 0x51351f in diff_2_files
/home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #4 0x5297a7 in compare_files
/home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #5 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #6 0x7f7a0e14fb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41d709 in _start
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

0x6210000000ff is located 1 bytes to the left of 4096-byte region
[0x621000000100,0x621000001100)
allocated by thread T0 here:
    #0 0x4d2d60 in malloc
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x4d2d60)
    #1 0x583120 in xmalloc
/home/hongxu/FOT/diffutils-fuzz/lib/xmalloc.c:41:13

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44 in print_1_line_nl
Shadow bytes around the buggy address:
  0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8310==ABORTING

and:

ASAN:DEADLYSIGNAL
=================================================================
==8313==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000100d4 (pc
0x7f367ca57c40 bp 0x000000000400 sp 0x7ffeebd7e358 T0)
==8313==The signal is caused by a READ memory access.
    #0 0x7f367ca57c3f
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
    #1 0x7f367c954993 in _IO_file_xsputn
/build/glibc-OTsEL5/glibc-2.27/libio/fileops.c:1258
    #2 0x7f367c95351f in fwrite_unlocked
/build/glibc-OTsEL5/glibc-2.27/libio/iofwrite_u.c:43
    #3 0x551dc4 in output_1_line
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1274:28
    #4 0x550d24 in print_1_line_nl
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:3
    #5 0x544366 in print_normal_hunk
/home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #6 0x550883 in print_script
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #7 0x51351f in diff_2_files
/home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #8 0x5297a7 in compare_files
/home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #9 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #10 0x7f367c8eab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d709 in _start
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370

==8313==ABORTING

The glibc version is 2.27 and it's an Ubuntu 18.04 LTS (Linux C10 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux) machine.


Best Regards,
Hongxu
[Message part 2 (text/html, inline)]
[hbo_util.c:1249_1.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.err.SIG06 (application/octet-stream, attachment)]
[hbo_util.c:1249_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.input.txt (text/plain, attachment)]
[read_util.c:1274:28_2.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_2.input.txt (text/plain, attachment)]
[add.wasm (application/octet-stream, attachment)]

Information forwarded to bug-diffutils <at> gnu.org:
bug#31935; Package diffutils. (Sat, 29 Dec 2018 01:14:02 GMT) Full text and rfc822 format available.

Message #8 received at 31935 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Hongxu Chen <leftcopy.chx <at> gmail.com>
Cc: 31935 <at> debbugs.gnu.org
Subject: Re: [bug-diffutils] bug#31935: 2 crashes in diffutils commit version 576645c
Date: Fri, 28 Dec 2018 17:13:10 -0800
[Message part 1 (text/plain, inline)]
On Fri, Jun 22, 2018 at 7:49 AM Hongxu Chen <leftcopy.chx <at> gmail.com> wrote:
>     We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.
>     The executing command is: `./diff -a --strip-trailing-cr $file add.wasm` where $file is the poc file (I attached them as  *.input.txt); "add.wasm" is also attached however it seems that content of the comparison file is not important.

Thank you for fuzz-testing diffutils.
FYI, here is a reproducer for the limit[-1]-related UMR bugs:

  valgrind src/diff -a --strip-trailing-cr <(printf '\r') <(echo a)

I've attached a patch:
[diffutils-UMR.diff (application/octet-stream, attachment)]
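The pattern behind the two traces above, as an added illustration that is not diffutils code: the read reported at print_1_line_nl (util.c:1249) lands one byte to the left of a heap buffer, which is consistent with an unguarded limit[-1] peek being handed an empty line, and if that stray byte happens to equal '\n' the computed length wraps and a following fwrite of it faults, as in the second trace. The program below reproduces that arithmetic on a constructed two-byte buffer (so the demo itself stays within defined behaviour), shows the guarded form of the peek that Jim describes, and, for the point made later in the thread that the real fix belongs at the producer, a strip-trailing-CR step that keeps the terminating newline. The function names, the [base, limit) line representation and the newline appended to the "\r" file are assumptions made for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A line is the half-open byte range [base, limit).  The two functions below
   are illustrative stand-ins (not diffutils code) for an output routine that
   peeks at limit[-1] to decide whether the line ends in '\n'. */

/* Unguarded form.  For an empty line (base == limit) the peek reads the byte
   before the line: an out-of-bounds read when the line starts a heap buffer.
   If that stray byte equals '\n', the subtraction goes one below base and the
   length wraps to SIZE_MAX; an fwrite of that length is the kind of SEGV in
   memmove seen in the second trace. */
static size_t text_len_unguarded(const char *base, const char *limit)
{
    return (size_t)(limit - (limit[-1] == '\n') - base);
}

/* Guarded form: establish that the line is non-empty before peeking. */
static size_t text_len_guarded(const char *base, const char *limit)
{
    bool ends_in_nl = base < limit && limit[-1] == '\n';
    return (size_t)(limit - base) - (ends_in_nl ? 1 : 0);
}

/* Producer side, in the spirit of --strip-trailing-cr: turn "...\r\n" into
   "...\n" in place and return the new length.  Keeping the '\n' preserves the
   "every line ends in a newline" invariant the printer relies on, so a "\r\n"
   line becomes "\n" rather than an empty range.  A line with no '\n' at all
   (the reproducer's printf '\r') is returned untouched; the caller is assumed
   to supply the missing newline before calling this. */
static size_t strip_trailing_cr(char *line, size_t len)
{
    if (len >= 2 && line[len - 1] == '\n' && line[len - 2] == '\r') {
        line[len - 2] = '\n';
        return len - 1;
    }
    return len;
}

/* Make the dependence on out-of-line memory observable without undefined
   behaviour: place an empty line at offset 1 of a two-byte buffer and vary
   the byte in front of it.  The result changes with a byte the line does not
   own, which is exactly what ASan and valgrind complain about. */
static size_t unguarded_len_of_empty_line(char byte_before)
{
    char buf[2] = { byte_before, 'x' };
    const char *base = buf + 1, *limit = buf + 1;   /* empty line */
    return text_len_unguarded(base, limit);
}

static size_t guarded_len_of_empty_line(char byte_before)
{
    char buf[2] = { byte_before, 'x' };
    const char *base = buf + 1, *limit = buf + 1;
    return text_len_guarded(base, limit);
}

/* Convenience for experiments: copy a NUL-terminated line into a local
   buffer, strip the CR, and return the number of text bytes the guarded
   printer would emit for it. */
static size_t text_bytes_after_strip(const char *input)
{
    char buf[64];
    size_t len = strlen(input);
    if (len >= sizeof buf)
        return SIZE_MAX;            /* too long for this demo buffer */
    memcpy(buf, input, len);
    len = strip_trailing_cr(buf, len);
    return text_len_guarded(buf, buf + len);
}

int main(void)
{
    /* Constructed input: the single-byte file from the valgrind reproducer,
       plus the newline a reader is assumed to append at end of file. */
    printf("\"\\r\\n\" after strip: %zu text bytes\n",
           text_bytes_after_strip("\r\n"));                  /* 0 */
    printf("\"ab\\r\\n\" after strip: %zu text bytes\n",
           text_bytes_after_strip("ab\r\n"));                /* 2 */
    printf("unguarded empty line, byte before 'q': %zu\n",
           unguarded_len_of_empty_line('q'));                /* 0 */
    printf("unguarded empty line, byte before '\\n': %zu\n",
           unguarded_len_of_empty_line('\n'));               /* SIZE_MAX */
    printf("guarded empty line: %zu\n",
           guarded_len_of_empty_line('\n'));                 /* 0 */
    return 0;
}
```

Build with `cc -Wall -O0 example.c` and run. The demo keeps the byte before the line inside its own array on purpose; move the empty line to the start of a malloc'd block and build with -fsanitize=address to get a report of the same shape as the first trace above.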

Information forwarded to bug-diffutils <at> gnu.org:
bug#31935; Package diffutils. (Sat, 29 Dec 2018 01:38:01 GMT) Full text and rfc822 format available.

Message #11 received at 31935 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Hongxu Chen <leftcopy.chx <at> gmail.com>
Cc: 31935 <at> debbugs.gnu.org
Subject: Re: [bug-diffutils] bug#31935: 2 crashes in diffutils commit version 576645c
Date: Fri, 28 Dec 2018 17:37:12 -0800
[Message part 1 (text/plain, inline)]
On Fri, Dec 28, 2018 at 5:13 PM Jim Meyering <jim <at> meyering.net> wrote:
>
> On Fri, Jun 22, 2018 at 7:49 AM Hongxu Chen <leftcopy.chx <at> gmail.com> wrote:
> >     We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.
> >     The executing command is: `./diff -a --strip-trailing-cr $file add.wasm` where $file is the poc file (I attached them as  *.input.txt); "add.wasm" is also attached however it seems that content of the comparison file is not important.
>
> Thank you for fuzz-testing diffutils.
> FYI, here is a reproducer for the limit[-1]-related UMR bugs:
>
>   valgrind src/diff -a --strip-trailing-cr <(printf '\r') <(echo a)
>
> I've attached a patch:

That patch was provably incomplete.
I ran this (adding -u to the above) and found one new UMR. Guarding
yet another [-1] reference fixes it.
There are still numerous unguarded [-1] references, so this updated
patch is doubtless still incomplete:

for i in hbo*; do echo $i; valgrind --quiet src/diff -u -a --strip-trailing-cr $i add.wasm > /dev/null; echo $?; done
[diffutils-UMR.diff (application/octet-stream, attachment)]

Information forwarded to bug-diffutils <at> gnu.org:
bug#31935; Package diffutils. (Sat, 29 Dec 2018 03:12:01 GMT) Full text and rfc822 format available.

Message #14 received at 31935 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jim Meyering <jim <at> meyering.net>, Hongxu Chen <leftcopy.chx <at> gmail.com>
Cc: 31935 <at> debbugs.gnu.org
Subject: Re: [bug-diffutils] bug#31935: bug#31935: 2 crashes in diffutils commit version 576645c
Date: Fri, 28 Dec 2018 19:11:02 -0800
[Message part 1 (text/plain, inline)]
Jim Meyering wrote:
> There are still numerous unguarded [-1] references, so this updated
> patch is doubtless still incomplete:

The real bug was elsewhere, I think. I installed the attached patch. This patch
lacks your test case, which didn't work for me because there is no
require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
other location?
[0001-diff-fix-UMR-with-strip-trailing-cr.patch (text/x-patch, attachment)]

Information forwarded to bug-diffutils <at> gnu.org:
bug#31935; Package diffutils. (Sat, 29 Dec 2018 05:09:02 GMT) Full text and rfc822 format available.

Message #17 received at 31935 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 31935 <at> debbugs.gnu.org, Hongxu Chen <leftcopy.chx <at> gmail.com>
Subject: Re: [bug-diffutils] bug#31935: bug#31935: 2 crashes in diffutils commit version 576645c
Date: Fri, 28 Dec 2018 21:08:31 -0800
On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
>
> Jim Meyering wrote:
> > There are still numerous unguarded [-1] references, so this updated
> > patch is doubtless still incomplete:
>
> The real bug was elsewhere, I think. I installed the attached patch. This patch
> lacks your test case, which didn't work for me because there is no
> require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> other location?

Thanks. Nice patch.
I've pushed the two test-related patches.




Reply sent to Jim Meyering <jim <at> meyering.net>:
You have taken responsibility. (Sat, 29 Dec 2018 07:16:02 GMT) Full text and rfc822 format available.

Notification sent to Hongxu Chen <leftcopy.chx <at> gmail.com>:
bug acknowledged by developer. (Sat, 29 Dec 2018 07:16:02 GMT) Full text and rfc822 format available.

Message #22 received at 31935-done <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 31935-done <at> debbugs.gnu.org, Hongxu Chen <leftcopy.chx <at> gmail.com>
Subject: Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in diffutils commit version 576645c
Date: Fri, 28 Dec 2018 23:15:33 -0800
[Message part 1 (text/plain, inline)]
On Fri, Dec 28, 2018 at 9:20 PM Jim Meyering <jim <at> meyering.net> wrote:
>
> On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
> >
> > Jim Meyering wrote:
> > > There are still numerous unguarded [-1] references, so this updated
> > > patch is doubtless still incomplete:
> >
> > The real bug was elsewhere, I think. I installed the attached patch. This patch
> > lacks your test case, which didn't work for me because there is no
> > require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> > other location?
>
> Thanks. Nice patch.
> I've pushed the two test-related patches.

I noticed that the new test would fail when built with ASAN, so will push this:
[umr-test-vs-asan.diff (application/octet-stream, attachment)]
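A small valgrind gate for the PoC loop in Jim's earlier message and for the two points raised afterwards in the thread (no require_valgrind_ helper in diffutils, and a valgrind-based test failing under an ASan build). This is an added example, not the diffutils test suite: the binary path and input files are parameters, the exit codes follow the automake convention (0 pass, 1 fail, 77 skip), and detecting an ASan build by looking for an __asan_init symbol with nm is an assumption that may need adjusting for your toolchain. The reason for --error-exitcode is that with --quiet alone the loop's $? is diff's own 0/1/2 result, not whether valgrind reported anything.

```shell
#!/bin/sh
# Added example (not diffutils' own test suite): run one diff invocation under
# valgrind so that reported memory errors, not diff's 0/1/2 result, decide the
# outcome.  Returns 0 (pass), 1 (fail) or 77 (skip, automake convention).
umr_check() {
    bin=$1; left=$2; right=$3
    # No valgrind, or no binary to test: skip rather than fail.
    command -v valgrind >/dev/null 2>&1 || return 77
    [ -x "$bin" ] || return 77
    # valgrind cannot be combined with an ASan-instrumented build; skip those.
    # (Looking for __asan_init with nm is an assumption about the toolchain.)
    if nm "$bin" 2>/dev/null | grep -q '__asan_init'; then
        return 77
    fi
    # --error-exitcode=99 makes valgrind exit 99 when it reported any error;
    # otherwise diff's own status (0 same, 1 differ, 2 trouble) comes through.
    valgrind --quiet --error-exitcode=99 "$bin" -a --strip-trailing-cr \
        "$left" "$right" >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0|1) return 0 ;;   # clean run; files same or different, both fine
        99)  return 1 ;;   # valgrind reported a memory error
        *)   return 1 ;;   # diff itself failed for some other reason
    esac
}

# Walk a directory of PoC inputs (the *.input.txt attachments above) against
# one comparison file, like Jim's loop but with a meaningful status per file.
# Returns 0 when nothing failed (skips do not count as failures).
umr_check_dir() {
    bin=$1; dir=$2; other=$3; failures=0
    for f in "$dir"/*.input.txt; do
        [ -e "$f" ] || continue
        umr_check "$bin" "$f" "$other" && st=0 || st=$?
        case $st in
            0)  tag=PASS ;;
            77) tag=SKIP ;;
            *)  tag=FAIL; failures=$((failures + 1)) ;;
        esac
        printf '%s: %s\n' "$f" "$tag"
    done
    [ "$failures" -eq 0 ]
}

# Typical use, with paths as in the report:
#   umr_check_dir ./src/diff ./pocs ./add.wasm
```

Run it from the build tree as `umr_check_dir ./src/diff ./pocs ./add.wasm`; a SKIP for every file usually means valgrind is missing or the binary was built with -fsanitize=address, in which case running the same loop without valgrind and letting ASan report is the right alternative.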

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 26 Jan 2019 12:24:05 GMT) Full text and rfc822 format available.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.